Reflections on the PCI DSS for Virtualization Guidelines and Father’s Day

My father was a small business man. At 6’2” and 250 lbs., he was a large small business man. After learning the ropes of North American retail business at Sears for 13 years, he opened up a (literally speaking) Mom and Pop appliance store serving a rural community, where he thrived by nature of his shrewd business acumen and competitive margins. He also recognized the value of technology tools early on. It was rare to see him without his trusty HP-12C business calculator using reverse Polish logic.

Later, when he expanded his stores geographically, he leased a mainframe at a then-astronomical rate in the 6 figures per year range to do what we could probably do on an iPad today: inventory control, accounts receivable and payable (and yes – that included customer credit card information), and payroll. In retrospect, it seems that he may have been “swatting flies with a sledgehammer”, but in the 1980s, there weren’t a lot of alternatives and his information was important to him. He relied on information to make smart decisions and outwit the “big guys down the block”. This information was so valuable to him that he took measures to protect the backup tapes so that he could continue to conduct business in the event of a fire, flood, or other catastrophe – he put the tapes in the freezer! As a dyed-in-the-wool appliance man, he knew that freezers were well insulated to keep food cold as well as protect against natural disasters. This gave him a sense of security in that he knew he could provide for his family, ensuring what modern IT marketing managers call “Business Continuity”.

Recently, the PCI Security Standards Council published an information supplement called PCI DSS Virtualization Guidelines. After having read through it, I would summarize the document thusly: Treat your virtually-stored information in the same manner you would your physically-stored information. After all, the threats are the same, and the value of the information hasn’t diminished just because the storage medium has changed. Enterprise-level businesses were among the first to see the benefits of reallocating underutilized servers, as well as to reap the cost savings associated with a smaller server farm footprint and the accompanying reductions in power consumption and physical security requirements. But as Gartner reports in this eWeek article, more than 50% of SMBs are forecast to jump on the virtualization bandwagon by the end of 2012.

I’ll wager that Dad would have been one of the virtualization early adopters.